Add an API to get the signer of an OCSP response

Add a new function OCSP_resp_get0_signer() that looks in the
certs bundled with the response as well as in additional certificates
provided as a function argument, returning the certificate that signed
the given response (if present).

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit ce5886dda80b6f60fb30762381506d5c6f2d995c)

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4723)

diff --git a/crypto/ocsp/ocsp_vfy.c b/crypto/ocsp/ocsp_vfy.c
index 809f7f41e13bbdd0f7de776fcaa7c2849167984d..89147d93ae9f1ac72b8cc21ddc328d5b8b576b9e 100644 (file)
--- a/crypto/ocsp/ocsp_vfy.c
+++ b/crypto/ocsp/ocsp_vfy.c
@@ -138,6 +138,15 @@ int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
     goto end;
 }
 
+int OCSP_resp_get0_signer(OCSP_BASICRESP *bs, X509 **signer,
+                     STACK_OF(X509) *extra_certs)
+{
+    int ret;
+
+    ret = ocsp_find_signer(signer, bs, extra_certs, 0);
+    return (ret > 0) ? 1 : 0;
+}
+
 static int ocsp_find_signer(X509 **psigner, OCSP_BASICRESP *bs,
                             STACK_OF(X509) *certs, unsigned long flags)
 {

diff --git a/doc/crypto/OCSP_resp_find_status.pod b/doc/crypto/OCSP_resp_find_status.pod
index 36f66a858f64bd1aae0f7dd89594c9983ffac8bb..3a6e7471581212f771c6203941648af09fca9b29 100644 (file)
--- a/doc/crypto/OCSP_resp_find_status.pod
+++ b/doc/crypto/OCSP_resp_find_status.pod
@@ -3,6 +3,7 @@
 =head1 NAME
 
 OCSP_resp_get0_certs,
+OCSP_resp_get0_signer,
 OCSP_resp_get0_id,
 OCSP_resp_get0_produced_at,
 OCSP_resp_find_status, OCSP_resp_count, OCSP_resp_get0, OCSP_resp_find,
@@ -32,6 +33,9 @@ OCSP_single_get0_status, OCSP_check_validity
 
  const STACK_OF(X509) *OCSP_resp_get0_certs(const OCSP_BASICRESP *bs);
 
+ int OCSP_resp get0_signer(OCSP_BASICRESP *bs, X509 **signer,
+                           STACK_OF(X509) *extra_certs);
+
  int OCSP_resp_get0_id(const OCSP_BASICRESP *bs,
                        const ASN1_OCTET_STRING **pid,
                        const X509_NAME **pname);
@@ -72,7 +76,13 @@ single response B<bs>.
 
 OCSP_resp_get0_certs() returns any certificates included in B<bs>.
 
-OCSP_resp_get0_id() gets the responder id of <bs>. If the responder ID is
+OCSP_resp_get0_signer() attempts to retrive the certificate that directly
+signed B<bs>.  The OCSP protocol does not require that this certificate
+is included in the B<certs> field of the response, so additional certificates
+can be supplied in B<extra_certs> if the certificates that may have
+signed the response are known via some out-of-band mechanism.
+
+OCSP_resp_get0_id() gets the responder id of B<bs>. If the responder ID is
 a name then <*pname> is set to the name and B<*pid> is set to NULL. If the
 responder ID is by key ID then B<*pid> is set to the key ID and B<*pname>
 is set to NULL.
@@ -99,6 +109,9 @@ B<id> was not found.
 OCSP_single_get0_status() returns the status of B<single> or -1 if an error
 occurred.
 
+OCSP_resp_get0_signer() returns 1 if the signing certificate was located,
+or 0 on error.
+
 =head1 NOTES
 
 Applications will typically call OCSP_resp_find_status() using the certificate

diff --git a/include/openssl/ocsp.h b/include/openssl/ocsp.h
index f2281c08a227e91fa2b912b806a951caeec9af9c..90ebe5ccd05e49af4b097ae3634e71a46a9ad97c 100644 (file)
--- a/include/openssl/ocsp.h
+++ b/include/openssl/ocsp.h
@@ -194,6 +194,8 @@ int OCSP_response_status(OCSP_RESPONSE *resp);
 OCSP_BASICRESP *OCSP_response_get1_basic(OCSP_RESPONSE *resp);
 
 const ASN1_OCTET_STRING *OCSP_resp_get0_signature(const OCSP_BASICRESP *bs);
+int OCSP_resp_get0_signer(OCSP_BASICRESP *bs, X509 **signer,
+                          STACK_OF(X509) *extra_certs);
 
 int OCSP_resp_count(OCSP_BASICRESP *bs);
 OCSP_SINGLERESP *OCSP_resp_get0(OCSP_BASICRESP *bs, int idx);